Inside Out Hacking

Uploaded by mwai-janna, posted 07-Apr-2018

  • 8/6/2019 Inside Out Hacking (slide transcript, 22 slides)

  • Slide 1/22: Inside Out Hacking: Bypassing Firewalls

    2006-Aug-30
    St. Louis Security Group
    Christopher Byrd, CISSP, Senior Security Engineer
    SAVVIS Communications

  • Slide 2/22: Quick Introduction

    About Me
        Christopher Byrd, CISSP
        Senior Security Engineer
        [email protected]
        www.riosec.com

    About Metasploit
        Primary developers: H D Moore (hdm) and Matt Miller (skape)
        www.metasploit.com
        metasploit.blogspot.com

  • Slide 3/22: What is Metasploit (review)

    The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code.
    Original version written in Perl
    Modular, scriptable framework

  • Slide 4/22: Metasploit 3

    Written in Ruby
    Supports Linux, BSD, Mac OS X, Windows (with Cygwin)
    Modular, scriptable framework
    Mixins for common protocols
        Using mixins, exploits can be written in as few as 3 lines of code!
    Auxiliary modules

  • Slide 5/22: Metasploit Uses

    Metasploit is for
        Research of exploitation techniques
        Understanding attackers' methods
        IDS/IPS testing
        Limited pentesting
        Demos and presentations
    Metasploit isn't for
        Script kiddies
        Limited and stale exploits

  • Slide 6/22: Interfaces

    msfconsole
        Interactive console interface
    msfcli
        Command line exploitation
    msfpayload
        Create encoded (executable) payloads
    msfweb (being reworked)
        Because everything has to have a web interface
    msfwx GUI (in development)
        Point, Click, 0wn
    msfapi (in development)
        Modularized development platform

  • Slide 7/22: Exploits

    148 exploits in 2.6; 84 rewritten exploits for 3.0
    hpux / irix / linux / macosx / solaris / windows / etc
    Application specific exploits
        Browsers, backup, ftp, etc
    Exploits are passive (client bugs) or active (service exploitation)
    Mostly remote exploits, no local privilege escalation (yet)
    Organized as platform/application/exploit
        windows/browser/ms06_001_wmf_setabortproc
        osx/samba/trans2open

  • Slide 8/22: (no text on this slide)

  • Slide 9/22: IDS Evasion

    Encoders change payload, sometimes exploit signature
    Multiple NOP (No Operation) generators
    ips_filter plugin

  • Slide 10/22: (no text on this slide)

  • Slide 11/22: Firewalls != secure

    Most common question I'm asked: "I have a firewall, will that protect me?"
    Firewalls stop most shotgun and scanning attacks, but:
        L7 attacks
            Signature evasion
        Client side attacks
            Often used to create botnets
        Human side attacks (L8)
            Phishing
            Social Engineering
    Internet worms are getting rare

  • Slide 12/22: (no text on this slide)

  • Slide 13/22: UFBP Tunneling

    Metasploit PassiveX
    Httptunnel
    Others

  • Slide 14/22: UFBPS Tunneling

    Outbound HTTPS (tcp/443) allowed out for accessing secure sites
        Banking
        Shopping
    HTTPS also used to avoid restrictions
        Google (cache, mail, talk)
        Anonymizer services
    SSL encryption bypasses IDS detection
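Because the tunnel rides inside TLS, a network IDS cannot inspect what it carries; what stays visible is connection metadata. The following is an added example, not code from the slides or from Metasploit, that applies the statistical idea the deck returns to on slide 21 (Ranum: "the number of times an uninteresting thing happens is an interesting thing"): it reads a constructed egress-firewall log of allowed HTTPS connections and flags client/destination pairs that reconnect at a near-constant interval, the pattern a tunnel or beacon polling home produces. The log format (timestamp ACTION src -> dst:port), the addresses and the thresholds are all assumptions made for this example.

```python
"""Connection-frequency analysis for outbound HTTPS (added example).

Not part of the original slides or of Metasploit. Looks only at connection
metadata from an egress-firewall log and applies Ranum's "number of times an
uninteresting thing happens" idea: a client that opens a connection to the
same destination at a near-constant interval is worth a look. The log format
(timestamp ACTION src -> dst:port) and every address are constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BASE = datetime(2006, 8, 30, 9, 0, 0)

# Constructed: one host phones home about every 60 s (offsets in seconds,
# with a second of jitter either way), twelve times in a row.
BEACON_OFFSETS = [0, 60, 121, 180, 239, 300, 361, 420, 479, 540, 601, 660]

SAMPLE_LOG: List[str] = [
    f"{(BASE + timedelta(seconds=s)).isoformat()} ALLOW 10.0.0.5 -> 203.0.113.9:443"
    for s in BEACON_OFFSETS
] + [
    # Constructed background traffic: irregular, human-driven browsing.
    "2006-08-30T09:00:12 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:03:40 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:04:02 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:09:55 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:10:30 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:15:01 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:16:44 ALLOW 10.0.0.8 -> 198.51.100.7:443",
    "2006-08-30T09:02:10 ALLOW 10.0.0.5 -> 198.51.100.20:443",
    "2006-08-30T09:07:33 ALLOW 10.0.0.5 -> 198.51.100.20:443",
    "2006-08-30T09:05:00 DENY  10.0.0.5 -> 192.0.2.1:22",
]


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split 'timestamp ACTION src -> dst:port' into its fields."""
    ts, action, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), action, src, dst


def connections_per_pair(lines: List[str]) -> Dict[Tuple[str, str], List[datetime]]:
    """Group the timestamps of ALLOWed connections by (src, dst:port)."""
    times: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, action, src, dst = parse_line(line)
        if action == "ALLOW":
            times[(src, dst)].append(ts)
    return times


def find_beacons(lines: List[str], min_hits: int = 6, max_cv: float = 0.1) -> List[dict]:
    """Flag (src, dst) pairs with at least min_hits connections whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    findings = []
    for (src, dst), stamps in connections_per_pair(lines).items():
        if len(stamps) < min_hits:
            continue  # too few events to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period  # 0.0 means perfectly periodic
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(stamps),
                             "period_s": round(period, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['hits']} connections "
              f"every ~{f['period_s']}s (cv={f['cv']})")
```

Run as a script it reports the single flagged pair. The two knobs are min_hits (how many connections a pair needs before it is judged at all) and max_cv (how regular the gaps must be). Human browsing to the same site produces irregular gaps and is not flagged, and a pair seen only twice is ignored however regular it looks; counting before judging is the whole point of the law.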

  • Slide 15/22: Other related protocols

    DNS
        Nstx (ip-over-dns)
        OzymanDNS
    ICMP (ping)
        Ptunnel
        itun

  • Slide 16/22: (no text on this slide)

  • Slide 17/22: Other problems with firewalls

    If it doesn't go through the firewall, the firewall can't do anything
        Wireless
        VPN connected systems
    The "allow any outbound" rule
        -- enough said

  • Slide 18/22: Anatomy of an Attack

    Victim clicks URL from email or web
        Infected site serves up URL in IFRAME
    Victim makes HTTP request to msf web server
    Msf web server returns wmf or other client side exploit
    PassiveX modifies registry entries on Windows to permit loading untrusted ActiveX controls
    PassiveX loads second stage ActiveX control from msf web server
    PassiveX loads payload dll (Meterpreter, VNC, etc) from attacker (tunneled over HTTP)

  • Slide 19/22: (no text on this slide)

  • Slide 20/22: Blue sky: What is the solution?

    Put the PC in a safe, disconnected from power
    Marcus Ranum's "Ultimately Secure Deep packet inspection and application security system"
        Wirecutters
    Allow only limited protocols to trusted (whitelisted) connections
    Don't tunnel stuff over HTTP
    IETF ratifies secure protocols

  • Slide 21/22: Real world: what helps

    Layer 7 firewalls check for protocol conformance
        Just because it goes over port 80 doesn't mean it's HTTP
    Signatures can catch unsophisticated payloads
        Host based signatures are better, as network permutations are removed
    Statistical analysis of traffic
        Ranum's second law of Log Analysis:
        "The number of times an uninteresting thing happens is an interesting thing"
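For "just because it goes over port 80 doesn't mean it's HTTP", here is an added example, not code from the slides or from any firewall product, of the conformance check a layer-7 firewall applies to the client side of a tcp/80 flow before treating it as HTTP: request-line grammar, header-line syntax, and the Host header that HTTP/1.1 requires. The sample streams (a browser request, an SSH banner, a TLS ClientHello, an HTTP/1.0 request, a truncated request and a tunnel request that is valid HTTP) are constructed for the example, and the 8 KiB header limit is an assumed policy value.

```python
"""Is the client side of a tcp/80 stream actually HTTP? (added example)

Not code from the original slides or from any firewall product. Sketches the
conformance check a layer-7 firewall applies before letting a "port 80" flow
through: request-line grammar, header syntax, and the Host header HTTP/1.1
requires. All sample streams are constructed for illustration.
"""
import re
from typing import Dict, Tuple

METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# RFC 7230 token characters for a field name, then ':' and an arbitrary value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[ \t]*[^\r\n]*$")
MAX_HEADER_BYTES = 8192  # assumed policy limit, not a protocol constant


def classify_port80_stream(data: bytes) -> Tuple[str, str]:
    """Return ('http' | 'nonconformant' | 'incomplete', reason) for the first
    bytes a client sent on port 80."""
    if data[:2] == b"\x16\x03":
        return ("nonconformant", "TLS record header on a plaintext HTTP port")
    head, terminated, _body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not terminated and len(lines) == 1:
        # Not even one full line yet; only give up once it is clearly too long.
        if len(head) < MAX_HEADER_BYTES:
            return ("incomplete", "request line not complete yet")
        return ("nonconformant", "no CRLF within the header size limit")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1) not in METHODS:
        return ("nonconformant", "first line is not an HTTP request line")
    if not terminated:
        if len(head) < MAX_HEADER_BYTES:
            return ("incomplete", "header block not terminated yet")
        return ("nonconformant", "header block exceeds the size limit")
    version = (int(m.group(3)), int(m.group(4)))
    names = set()
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return ("nonconformant", "malformed header line")
        names.add(line.split(b":", 1)[0].strip().lower())
    if version >= (1, 1) and b"host" not in names:
        return ("nonconformant", "HTTP/1.1 request without a Host header")
    return ("http", "well-formed request")


# Constructed samples of the first bytes a client sent on tcp/80.
SAMPLES: Dict[str, bytes] = {
    "browser_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    "ssh_on_80": b"SSH-2.0-OpenSSH_4.3\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01",
    "no_host_header": b"GET /x HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
    "old_http10": b"GET / HTTP/1.0\r\n\r\n",
    "partial": b"GET /index",
    # A tunnel that speaks well-formed HTTP passes this check: the caveat.
    "http_tunnel_post": (b"POST /t HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                         b"Content-Type: application/octet-stream\r\n"
                         b"Content-Length: 512\r\n\r\n" + bytes(range(32))),
}


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict per sample name."""
    return {name: classify_port80_stream(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_port80_stream(data)
        print(f"{name:18s} {verdict:14s} {reason}")
```

The last sample is the caveat the slide implies: an HTTP tunnel that emits well-formed requests, as the tools on slide 13 are built to, passes a conformance check. This catches raw protocols shoved down port 80 and leaves the conformant tunnel to the signature and statistical checks listed above it.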

  • Slide 22/22: Quotes (because we're geeks)

    "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." -- Gene Spafford

    "Most organizations have already given up control over outgoing traffic. What they don't realize is that, by extension, they have also given up control over incoming traffic." -- Marcus Ranum

    "When you know that you're capable of dealing with whatever comes, you have the only security the world has to offer." -- Harry Browne